Computer systems are increasingly communicating over networks. This increased network communication may make security more important. Authentication protocols, both two-party authentication and three-party authentication, are known in the art to provide secure communications. A two-party authentication protocol (or 2PAP) is described in a publication entitled Systematic Design of a Family of Attack-Resistant Authentication Protocols by R. Bird, I. Gopla, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Young and published in the Proceedings of Crypto '91 in August 1991. Two-party authentication protocols, in particular, are the subject of the present invention.
Authentication protocols were created to protect the integrity of communications sent across networks. One effort at improving network security is known as Kerberos, a network security service originally developed at MIT and a subsequently incorporated into a number of architectures and commercial offerings. For more information on Kerberos, see "The Kerberos Network Authentication Service Overview" by J. Steiner, published in MIT Project Athena RFC, Draft 1, April 1989; and "Kerberos: An Authentication Service for Open Network Systems" by J. Steiner, C. Neuman, J. Schiller and published in Proceedings of USENIX Winter Conference, February 1988.
Although the Kerberos methodology is well known, several limitations were uncovered as the technology evolved. These limitations facilitated the development of KryptoKnight.
KryptoKnight is an authentication and key distribution mechanism for users or applications communicating in a network environment. KryptoKnight introduced an authentication and key distribution protocol that allowed it to withstand attack more securely. KryptoKnight is described in detail in the publication entitled "KryptoKnight Authentication and Key Distribution System" by Molva et al., proceedings of the CRYPTO '91, pages 155-174, the disclosure of which is hereby incorporated herein by reference.
The KryptoKnight Authentication and Key Distribution System can provide a secure session between a client and a server that communicate with each other over a network. Moreover, secure communications may be provided between a client and an authentication server that stores passwords for a plurality of clients thereon. Unfortunately, it may be possible for an intruder to gain access to the authentication server and thereby discover the encrypted passwords. In this case, KryptoKnight may not detect the fact that a new client is using the stolen password for access.